Meet the Patch Man
Eric Schultze is to patching what J.K. Rowling is to fantasy fiction: the Big Kahuna. As chief security architect at Shavlik Technologies, Schultze helps develop patch solutions for the high-profile Roseville, Minn.-based security company. Before that, he was a program manager for the Microsoft Security Response Center and a senior technologist in the Trustworthy Computing team at Microsoft. He answered questions from Redmond Managing Editor Keith Ward on the state of patching today.
What are your chief duties
I architect Shavlik solutions, build new features for products, architect spyware and other security products we'll be putting out this year, and research all Microsoft patches.
What do you think of Windows Server Update
I think it will be a viable solution for a large number of customers. Certainly [there are] improvements over SUS (Software Update Services) 1.0 in that it can update more products, especially Office products.
Is Shavlik afraid that Microsoft's patching strategy will put it out of business?
It's certainly something we think about, but we don't see an issue. WSUS is limited in its abilities. It doesn't cover Windows NT. [The earliest version of Office it supports is] Office XP SP2. It doesn't cover Office 2000. It starts with Exchange 2003. We have yet to see it support SQL Server. We've added [support for] WinZip and Apache and will be adding Firefox, Adobe, Google
Shavlik's Eric Schultze: "Hackers are getting lazier now. Pushing a button gets you to the first machine, but not to the machines behind the first machine."
Microsoft field reps use our tools for their customers because they weren't getting the support from the Microsoft toolsets. The reporting in WSUS is still very, very weak. We just announced a report server offering, [that includes] rich reporting pieces, for companies that need compliance reporting; they won't get it from WSUS.
You participated in the famous Trustworthy Computing initiative. Why are so many holes still being found in Microsoft products?
The bug scrub, and [companion] training and knowledge, was really exciting. Developers weren't in the mindset of even looking for bugs. There were loads of bugs that were identified and fixed. Had that not occurred, that number [of typical fixes on patch days] would be much larger. Also, [there's still] legacy code from Windows 3.11 and NT.
What are the greatest security threats facing network admins today?
Simply not knowing what's out there. How do they know their machines are secure? How do they know there's not a hacker on their network? I'd be concerned about spyware since it's no longer benign—Trojans and keystroke loggers are now automated, where they used to be manual.
There's also the constant problem with keeping up with the patches Microsoft is releasing. Nimda woke people up, SQL Slammer woke people up, but they were [just] patching their servers. With the Blaster worm, people said, "We'd better start patching our desktops."
What's happening in the hacker community these days?
Hackers are getting lazier now, because [so many attacks are] automated. I call it 'push-button hacking.' Pushing a button gets you to the first machine, but not to the machines behind the first machine.
If you could make consumers do just one thing to make their computers safer, so that the Internet is safer for the rest of us, what would it be?
Turn on their personal firewall. Without a doubt, that's the No. 1 thing. Get that implemented, make that box effectively disappear from the network. The next thing is to turn on Windows Update.
Keith Ward is the editor in chief of Virtualization Review.